Dec 16, 2010 18:19 GMT

An undocumented administrative account with a default password was discovered in the HP StorageWorks P2000 G3 MSA network storage solution, putting all such devices at risk of unauthorized access.

This model ships with a documented account called "manage" (default password "!manage") that customers are expected to use and reconfigure.

However, it was discovered that a second default account, "admin" with password "!admin", also exists on the device and, according to The H Security, it does not appear in the user manager and cannot be deleted.

The "admin" user has sufficient privileges to change the array's configuration and operating system settings, and because most administrators are unaware that it exists, its default password leaves the devices exposed.

HP confirmed the problem and said that this service administrator account "has necessary privileges that are used by internal processes running on the array."

Fortunately, the password can be modified. "If the 'admin' account raises a security concern, [its] password can be modified by using the Command Line Interface (CLI), through telnet or SSH, to change the default password," the company wrote in an advisory.

The change itself is straightforward: log in as "admin" over the command line and issue the "set password" command. Because the account cannot be removed, changing its password is the only available mitigation, and the new password should be stored and rotated like any other privileged credential. Telnet transmits the session, including the new password, in the clear, so SSH is the better transport for making the change.
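Before rotating anything, a practitioner would first want to know which arrays on the network still accept either default login. The following audit script is an added example and is not HP's code or part of the advisory: it tries the two default credential pairs named in this article against each host and reports which accounts still need "set password" run on them. The live SSH probe assumes the third-party paramiko library and that each array's host key is already in known_hosts; the offline run at the bottom uses a constructed table of hosts instead of real devices, so the logic can be checked without any network access.

```python
"""Default-credential audit for storage arrays (added example, not HP code).

Tries each known default login against each host and reports which still
authenticate, so the undocumented "admin"/"!admin" service account can be
rotated with "set password" on every affected array.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Sequence, Tuple

# Default logins named in the article. Any host accepting one is a finding.
DEFAULT_CREDENTIALS: Sequence[Tuple[str, str]] = (
    ("manage", "!manage"),  # documented customer account
    ("admin", "!admin"),    # undocumented service account; cannot be deleted
)


@dataclass(frozen=True)
class Finding:
    host: str
    username: str
    password: str


# Contract shared by the live SSH probe and the offline simulator below:
# True if the login is accepted, False if rejected, OSError if unreachable.
LoginFn = Callable[[str, str, str], bool]


def ssh_login_accepted(host: str, username: str, password: str,
                       port: int = 22, timeout: float = 5.0) -> bool:
    """Live probe. Assumes paramiko is installed (imported lazily so the audit
    logic runs without it). The array's host key must already be in
    known_hosts; unknown keys are rejected rather than silently trusted."""
    import paramiko  # assumption: third-party dependency for the live check
    client = paramiko.SSHClient()
    client.load_system_host_keys()
    client.set_missing_host_key_policy(paramiko.RejectPolicy())
    try:
        client.connect(host, port=port, username=username, password=password,
                       timeout=timeout, allow_agent=False, look_for_keys=False)
        return True
    except paramiko.AuthenticationException:
        return False
    except paramiko.SSHException as exc:
        # Host key mismatch, banner failure, etc. are reported as unreachable.
        raise ConnectionError(f"{host}: {exc}") from exc
    finally:
        client.close()


def audit_hosts(hosts: Iterable[str], try_login: LoginFn,
                credentials: Sequence[Tuple[str, str]] = DEFAULT_CREDENTIALS
                ) -> Tuple[List[Finding], List[str]]:
    """Returns (findings, unreachable). Every pair is tried on every host:
    rotating "manage" says nothing about the hidden "admin" account."""
    findings: List[Finding] = []
    unreachable: List[str] = []
    for host in hosts:
        try:
            for username, password in credentials:
                if try_login(host, username, password):
                    findings.append(Finding(host, username, password))
        except OSError:
            unreachable.append(host)
    return findings, unreachable


def accounts_to_rotate(findings: Sequence[Finding]) -> Dict[str, List[str]]:
    """Per host, the usernames whose default password must be changed via
    the array CLI ("set password", logged in as that user)."""
    plan: Dict[str, List[str]] = {}
    for f in findings:
        plan.setdefault(f.host, []).append(f.username)
    return plan


# ---- Offline demonstration with constructed data (no real arrays) ----
SIMULATED_ARRAYS: Dict[str, Dict[str, str]] = {
    "array-a": {"manage": "R0tated!", "admin": "!admin"},    # only manage rotated
    "array-b": {"manage": "!manage", "admin": "!admin"},     # fully default
    "array-c": {"manage": "R0tated!", "admin": "R0tated2"},  # both rotated
}


def simulated_login(host: str, username: str, password: str) -> bool:
    """Stand-in for ssh_login_accepted against the constructed table."""
    if host not in SIMULATED_ARRAYS:
        raise ConnectionError(f"{host}: no route to host")
    return SIMULATED_ARRAYS[host].get(username) == password


if __name__ == "__main__":
    found, down = audit_hosts(["array-a", "array-b", "array-c", "array-d"],
                              simulated_login)
    for host, users in accounts_to_rotate(found).items():
        print(f"{host}: default password still accepted for {', '.join(users)}")
    for host in down:
        print(f"{host}: unreachable, re-check")
```

For a live run, pass `ssh_login_accepted` instead of `simulated_login` and only point it at arrays you administer; "array-a" in the constructed data is the case the article warns about, where the documented account was rotated but the hidden one was not.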

"The practice of embedding hardcoded passwords, as demonstrated in this most recent HP storage device example, is not only commonplace, but extremely risky," Shlomi Dinoor, vice president of emerging technologies at identity management solutions provider Cyber-Ark Software, told SecurityWeek.

"So too is the practice of attempting to ship systems with 'hidden' admin users, but in this age of openness, nothing is hidden, and vendors should know that," he added.

One example of how badly hidden default passwords can end is the notorious Stuxnet worm, which targeted industrial control systems and used a hardcoded database password to access the database of Siemens WinCC SCADA systems.